github_mirrors/go-zero
1
0
Fork 0
mirror of https://github.com/zeromicro/go-zero.git synced 2025-02-02 16:28:39 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request from GHSA-fgxv-gw55-r5fq

Browse Source 
* fix: Authorization Bypass Through User-Controlled Key

* chore: add not safe domain test
This commit is contained in:
Kevin Wan 2023-03-04 23:34:11 +08:00 committed by GitHub
parent d953675085
commit d9d79e930d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 14 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
rest/internal/cors/handlers.go
View File

@ -77,12 +77,18 @@ func checkAndSetHeaders(w http.ResponseWriter, r *http.Request, origins []string
} }
func isOriginAllowed(allows []string, origin string) bool { func isOriginAllowed(allows []string, origin string) bool {
for _, o := range allows { origin = strings.ToLower(origin)
if o == allOrigins { for _, allow := range allows {
if allow == allOrigins {
return true return true
} }
if strings.HasSuffix(origin, o) { allow = strings.ToLower(allow)
if origin == allow {
return true
}
if strings.HasSuffix(origin, "."+allow) {
return true return true
} }
} }

5
rest/internal/cors/handlers_test.go
View File

@ -53,6 +53,11 @@ func TestCorsHandlerWithOrigins(t *testing.T) {
origins: []string{"http://local", "http://remote"}, origins: []string{"http://local", "http://remote"},
reqOrigin: "http://another", reqOrigin: "http://another",
}, },
{
name: "not safe origin",
origins: []string{"safe.com"},
reqOrigin: "not-safe.com",
},
} }
methods := []string{ methods := []string{